The Web Hacking Incidents Database Last update: 07 November 2007
List of incidents for 2007
Other years: 1999, 2000, 2001, 2002, 2003, 2004, 2005, 2006, 2007
There are 55 incidents for 2007
Date: 05 November 2007
Incident Type: Security Breach
WASC Threat Classification: Denial of Service
It seems that there is a new trend of disrupting online bidding using denial-of-service attacks. In this case, an auction for 37 very expensive watches was halted 20 minutes before its end when the site crashed, in what official sources describe as a hacker attack that did not result in a site compromise.
References:
Date: 02 November 2007
Incident Type: Security Breach
WASC Threat Classification: Abuse of Functionality
While most WHID entries are about web site breaches, sometimes a vulnerability in a web application is used indirectly. Redirection functions in web applications are commonly abused by spammers and phishers: they allow an honest-looking URL to be included in an e-mail, bypassing spam filters and observant users.
The Symantec response team found an actively used alternative on the best known page on the Internet: Google's primary search page. By using Google's famous "I feel lucky" feature, the spammer can automatically lead the victim to the first result of a search. All the spammer is left with is finding a query for which his site would pop up first on Google.
This method has another advantage over a redirection page: the final target is specified by a search string and not by a URL, bypassing smarter filters that know, or learn, that a URL passed as a parameter of another URL is most probably a redirection.
References:
Date: 28 October 2007
Incident Type: Security Breach
WASC Threat Classification: Unknown
A hacker gained access to names and encrypted credit card numbers at Arts.com. While the cause is not known, since the information is known to belong to online shoppers who made transactions from July to September, we assume it was a web site breach.
References:
Date: 23 October 2007
Incident Type: Security Breach
WASC Threat Classification: Denial of Service
The site of the Rockies was taken down by a denial-of-service attack, preventing fans from buying tickets for the World Series games.
Like any DDoS attack, it is very hard to know whether it was an application-layer or a network-layer attack, but since this attack had a very significant financial impact by crippling a web site, we think it deserves a place in WHID.
References:
Date: 10 October 2007
Incident Type: Security Breach
WASC Threat Classification: SQL Injection
3,000 records were exposed and 20 actually stolen at Commerce Bank, a small bank in the central USA. While the vulnerability exploited is not clear, SQL injection was mentioned. The record is therefore uncertain and, based on further information, it might be withdrawn.
References:
Date: 09 October 2007
Incident Type: Security Breach
WASC Threat Classification: Cross-site Scripting
Using XSS on the sites of both major Australian political parties, a security researcher nicknamed Bsoric caused the Liberal Party's Web site to read: "John Howard says: I want to suck your blood", while another script caused a window to pop up on the Labor Party's Web site, urging viewers to "Vote Liberal!"
References:
Date: 09 October 2007
Incident Type: Security Breach
WASC Threat Classification: Unknown
Information including birth dates and social security numbers of 1400 students who enrolled online at Montana State University has been stolen by hackers. While no technical explanation is provided, the fact that only students who enrolled online were affected points to a web site breach.
References:
Date: 06 October 2007
Incident Type: Security Breach
WASC Threat Classification: Other
A hacker exploited a leftover admin function on eBay to block users and close sales.
References:
Date: 03 October 2007
Incident Type: Security Breach
WASC Threat Classification: Unknown
Defacements are a dime a dozen these days, and are not normally reported by WHID. Even invisible defacements, in which sites are changed in order to infect their visitors with malicious code, are becoming too common. But this time it is the site of a security organization, and not just any one, but China's internet security organization. So in light of the hot debate about China as the source of all hacking, we think that this story has value.
References:
Date: 02 October 2007
Incident Type: Vulnerability Disclosure
WASC Threat Classification: Insufficient Authorization
Personal information on anyone who worked or volunteered for the Pembroke schools in the last four years was accessible via the Internet because of a weakness in the district's computer system. The information, including names, birth dates and Social Security numbers, was available from May until Oct. 2, when school officials learned of the problem.
References:
Date: 30 September 2007
Incident Type: Security Breach
WASC Threat Classification: SQL Injection
The web servers of Scarborough & Tweed, a company that sells corporate gifts online, were compromised and information about 570 customers may have been accessed using an SQL injection attack. The information includes customers' names, addresses, telephone numbers, account numbers, and credit card numbers.
References:
Date: 23 September 2007
Incident Type: Vulnerability Disclosure
WASC Threat Classification: Cross-site Scripting
A small XSS vulnerability caught RSnake's eye. What makes it different, after all xssed.com lists thousands and thousands of those? What caught RSnake's eye was the vulnerable site. TJMaxx earned the reputation as the company that suffered the biggest security breach ever. You would expect them to be more careful.
References:
Date: 18 September 2007
Incident Type: Security Breach
WASC Threat Classification: Unknown
Vertical Web Media, publisher of Internet Retailer magazine, suffered a security breach and credit card information of readers was stolen. The irony is that Internet Retailer magazine covers the risks of e-commerce.
While the actual technique used is not known, signs are that it was a web hack, as it was carried out by a distributed network of bots all over the world and since the information stolen belonged to customers who paid online.
The information stolen includes names, addresses, e-mail addresses, phone numbers, credit card account numbers and card expiration dates. The number of records stolen is unknown.
References:
Date: 17 September 2007
Incident Type: Security Breach
WASC Threat Classification: Other
An Excel spreadsheet containing sensitive information regarding police officers in York, England was published online. The information included Social Security numbers of 46 officers and the home addresses of 74 officers. As a result, the identities of 3 officers were stolen.
While the information was pulled offline after a short period of time, it remained in the cache of several major search engines.
References:
Date: 11 September 2007
Incident Type: Security Breach
WASC Threat Classification:
An attack on New Zealand government web sites required New Zealand Prime Minister Helen Clark to comment and assure the public that no confidential information was stolen. However, official sources in New Zealand confirm that attacks carried out by unnamed, but known, foreign governments on New Zealand government web sites resulted in information being stolen.
References:
Date: 02 September 2007
Incident Type: Security Breach
WASC Threat Classification: Unknown
This very serious hacking incident provides insight into a lot of the failures of information security in general and web application security in particular, beyond the simple fact that the web site of the largest state-owned bank in India was invisibly defaced with Trojan-inflicting code.
Firstly, the entire discussion in the references is about the Trojan payload, with no word about the vulnerability that led to the defacement. Actually, a reviewer on the SiteAdvisor report gives the green mark to the web site after the Trojan is removed, without requiring any information about the actual problem.
Secondly, most trust systems, including SiteAdvisor, completely failed to detect the breach. This makes me think about those trust models: they check that the site was not breached, while they should check that the site is not vulnerable. I guess the reason is that their primary goal is to detect intentionally malicious sites and not breaches of normative sites, but others use them to assess the level of security of the latter.
References:
Date: 29 August 2007
Incident Type: Security Breach
WASC Threat Classification:
Still a defacement, but this time with a twist. This was a genuine XSS rewriting attack, and was carried out by well-known people as a stunt. No information is provided on how the XSS vector found its way to the victims' computers.
References:
Date: 29 August 2007
Incident Type: Security Breach
WASC Threat Classification: Unknown
Yet another defacement, and as usual in the political arena. However, this one is worth a note as the attack is very targeted, while usually such political defacements are carried out quite randomly against sites loosely related to the opponent and have little to do with the actual message the attackers want to convey. In this case the defacement seems to be a direct response to the hot debate about housing prices in Spain.
References:
Date: 20 August 2007
Incident Type: Security Breach
WASC Threat Classification: Known Vulnerability
Defacements seem to dominate the list recently, probably because they reach everywhere. Two important conclusions from this particular one are that patch management is a key problem, and that it is a problem mainly at government sites across the world.
References:
Date: 12 August 2007
Incident Type: Security Breach
WASC Threat Classification: SQL Injection
Defacements are usually beyond the scope of the Web Hacking Incidents Database. We only publish those that stand out, and this one certainly stands out.
The site of the United Nations was broken into and defaced using a pretty basic SQL injection technique; the referenced article has all the details.
References:
Date: 07 August 2007
Incident Type: Security Breach
WASC Threat Classification: OS Commanding, SQL Injection
This gem is very interesting since it happened on Gentoo servers. It therefore combines the transparency into the incident that only an open source project can offer with the importance and resources of a large one. As a result we have a detailed report about the vulnerability, the exploit attempts and even people shouting at each other during the patching process.
What can we learn from this? That no server is secure, and that patching is hard.
References:
Date: 01 August 2007
Incident Type: Security Breach
WASC Threat Classification: OS Commanding
A command injection vulnerability at 1&1, a large German hosting provider, led to a denial of service and possible home page modification at 30 servers and up to 1700 web sites.
References:
Date: 25 July 2007
Incident Type: Security Breach
WASC Threat Classification: Insufficient Authorization
In a classic case of lack of proper separation between production and development sites, an application still in development, lacking proper authentication and authorization, was installed on a hospital's public web site, enabling anyone to query a database of 51,000 names, addresses and social security numbers.
References:
Date: 24 July 2007
Incident Type: Security Breach
WASC Threat Classification: Unknown
Defacements seem to be starting to dominate this list. Alas, they are the most obvious web site hacks out there. While not every defacement is reported in the Web Hacking Incidents Database, key ones are. I included this one since the attacked web site is significant, and since it emphasizes what is becoming a major goal of attacks: politics and international affairs.
As a side note, this incident is also interesting because it was repeated after being discovered and presumably fixed, which goes a long way to show how much effort goes into protecting web sites and how difficult it can be.
References:
Date: 23 July 2007
Incident Type: Security Breach
WASC Threat Classification: Insufficient Authorization
Fox News left non-public files in a directory accessible to everyone on their web server.
References:
Date: 20 July 2007
Incident Type: Security Breach
WASC Threat Classification: Unknown
While defacements are usually not the bread and butter of this database, when one hits an important government site, especially that of a ministry in charge of information technology, it is worth mentioning.
References:
Date: 27 June 2007
Incident Type: Security Breach
WASC Threat Classification: SQL Injection
Yet another defacement, but with a very high-profile target and a detailed description of the attack, which took advantage of an SQL injection vulnerability. The report even includes a video recording of the attack.
References:
Date: 22 June 2007
Incident Type: Security Breach
WASC Threat Classification: Unknown
As you may know, defacements usually do not find their way into WHID, especially if the method used is not known. However, since in this case the victim was the Belgian police, I thought it was worth including.
References:
Date: 15 June 2007
Incident Type: Security Breach
WASC Threat Classification: Unknown
Somebody snatched names, social security numbers and birth dates of approximately 1500 students at the vet school of UC Davis. The indication is that the web application used by the students was at fault. The school's web site described the incident as the result of "the computer attacker being able to manipulate a university computing application to accept unauthorized commands". A disgruntled cow?
References:
Date: 13 June 2007
Incident Type: Security Breach
WASC Threat Classification: Insufficient Authentication
If you live in a country from which you need a visa to get to the States, you knew this would happen. The US online visa appointment system is very open. Indeed, too open. Someone in Jamaica took advantage of this to pre-allocate appointments.
While this might be classified as a business process design flaw, isn't security also about this?
References:
Date: 11 June 2007
Incident Type: Security Breach
WASC Threat Classification: Abuse of Functionality, Insufficient Anti-automation, Insufficient Session Expiration
The CNBC stock trading reality TV show was even more real than contenders thought it would be. It seems that players learned to cheat the game by opening a browser form to buy a stock before the market closed and submitting the transaction, at the set price, only after closing, when more information was already available.
The interesting anecdote is that the person who discovered the issue used a different, but also questionable, technique: maintaining a very large number of portfolios managed by automated programs, exploiting the fact that the game allowed a user to have any number of portfolios but only counted the best one. Kosher, but it stinks.
This story reminds me of an older story about a predictable delay in a poker game that enabled gamblers to beat the house.
References:
Date: 10 June 2007
Incident Type: Security Breach
WASC Threat Classification: Unknown
The web site of the prime minister of Kerala (an Indian state) was hacked and defaced. The local police have contacted Interpol to help find who is behind the web site hacking.
References:
Date: 03 June 2007
Incident Type: Security Breach
WASC Threat Classification: Insufficient Authorization
A spreadsheet left on the web site of the US Office of National Intelligence includes secret information on the total budget of US intelligence. Interestingly, not all the required information appears in the document, but combined with other pieces of information made available earlier, the total number can be calculated.
This is a very interesting example of the sensitivity of partial data or small pieces of information and not just the big secrets.
References:
Date: 30 May 2007
Incident Type: Security Breach
WASC Threat Classification: Insufficient Authorization, Predictable Resource Location
Google left some files in the wrong place at the wrong time. These files include, surprisingly, database connection strings, including a user name and a password. Hardly news, but this time it is Google.
References:
Date: 19 May 2007
Incident Type: Security Breach
WASC Threat Classification: Unknown
References:
Date: 17 May 2007
Incident Type: Vulnerability Disclosure
WASC Threat Classification: Cross-site Scripting
I seldom add disclosures to WHID anymore, even less XSS disclosures, but since this time they were discovered in banking sites, I thought it was worth it. After all, too many times people think that application vulnerabilities are found only at less "serious" or less "important" web sites where no real damage can occur.
References:
Date: 10 May 2007
Incident Type: Security Breach
WASC Threat Classification: SQL Injection
The Pirate Bay is a BitTorrent information exchange blog site. Hackers used an SQL injection vulnerability in the web site to steal 1.6 million usernames and passwords of the site. At least the passwords were hashed, which means that the hacker would need cracking software and only the weak passwords will be found.
This incident highlights the Web authentication problem. Just think how many of those users use the same username and password in many other sites.
References:
Date: 08 May 2007
Incident Type: Security Breach
WASC Threat Classification: SQL Injection
A report within the help desk system used to track the status of open service calls created a file that was accessible to everyone. A hacker abused the problem to get information regarding 22,000 current and former students.
References:
Date: 23 April 2007
Incident Type: Security Breach
WASC Threat Classification: Credential/Session Prediction
The site of "Big Brother", a reality show in Australia, issued duplicate session IDs to different users since the session ID pool was exhausted. Naturally, the second person to get the same session ID got to see all the details of the first one!
References:
Date: 23 April 2007
Incident Type: Security Breach
WASC Threat Classification: Unknown
Details about 63,000 loans granted to farmers by the USDA (the US Department of Agriculture) were posted online by mistake.
References:
Date: 19 April 2007
Incident Type: Security Breach
WASC Threat Classification: Unknown
An undisclosed vulnerability in a web application at the University of Virginia allowed hackers to access names, social security numbers and birth dates of faculty members from May 2005 until April 2007. Approximately 5700 records were stolen in 54 distinct break-ins.
References:
Date: 27 March 2007
Incident Type: Security Breach
WASC Threat Classification: Other
An open source developer virtually defaced John McCain's MySpace page. He did not have to commit any crime, because the page pulled an image directly from the open source developer's site.
References:
Date: 10 March 2007
Incident Type: Security Breach
WASC Threat Classification: Insufficient Authentication, Misconfiguration
A student at a community college in Sacramento who was "Googling" himself last month found disconcerting information when he typed his name into the popular Internet search engine.
References:
Date: 10 March 2007
Incident Type: Security Breach
WASC Threat Classification: Insufficient Authentication, Misconfiguration
Personal information for about 2,700 University of Idaho employees was inadvertently posted at the school's Web site for 19 days in February, though officials say it was not easy to access and there's no reason yet to believe it was misused.
References:
Date: 02 March 2007
Incident Type: Vulnerability Disclosure
WASC Threat Classification: Cross-site Scripting, SQL Injection
While vulnerabilities in public web sites are a dime a dozen these days and are rarely included in WHID, a classic SQL injection in the login form on the home page of a very big company's web site is worth an entry. In my presentations I usually claim that such vulnerabilities disappeared years ago and then go on to show advanced SQL injection techniques. It seems that they still exist.
References:
Date: 02 March 2007
Incident Type: Security Breach
WASC Threat Classification: Other
A backdoor was planted in a new official release of WordPress, the most popular blogging software in the world. It was available for download for a few days before the backdoor was located.
References:
Date: 02 March 2007
Incident Type: Security Breach
WASC Threat Classification: Misconfiguration
Personal information about 2,000 patients was mistakenly published on the hospital's web site. The leakage was discovered only when a patient found her information when "Googling" herself.
The information included personal data such as social security numbers, birth dates, addresses, phone numbers, insurance numbers and in some cases the reason for the visit.
References:
Date: 21 February 2007
Incident Type: Security Breach
WASC Threat Classification: Unknown
The personal information of about 3,000 current and former Georgia Tech employees may have been compromised.
References:
Date: 18 February 2007
Incident Type: Security Breach
WASC Threat Classification: Unknown
11,500 credit card numbers have been stolen from the web site of Johnny's Selected Seeds, a small ($13M in revenue per annum) online vendor of seeds in Maine. 20 of these are known to have been abused. As usual, the hack was discovered because of fraudulent use of the stolen credit cards rather than by the security measures used to protect the web site.
The direct cost of the breach (informing customers, researching the incident and upgrading the protection of the web site) was tens of thousands of dollars.
References:
Date: 09 February 2007
Incident Type: Security Breach
WASC Threat Classification:
Two girls modified a school's home page by adding a note that the school was closed due to a snow storm.
References:
Date: 02 February 2007
Incident Type: Security Breach
WASC Threat Classification: Other
Hackers penetrated the Dolphins stadium web site just days before the Super Bowl was held there and modified the home page to include a Trojan-infecting script.
References:
Date: 29 January 2007
Incident Type: Security Breach
WASC Threat Classification: Cross-site Scripting
References:
Date: 15 January 2007
Incident Type: Security Breach
WASC Threat Classification: SQL Injection
The site of the Belgian Defense Ministry was defaced by Turks who protested pro-Kurdish remarks by the Belgian government.
References:
Date: 11 January 2007
Incident Type: Security Breach
WASC Threat Classification: Insufficient Process Validation
A priority code, used to get a free platinum pass to MacWorld Expo, was validated on the client side and enabled anyone to get the pass for free. While "grutz" informed the organizers about it, when going over their log files they found out that others had abused the vulnerability without letting anyone know about it.
References:
Date: 03 January 2007
Incident Type: Security Breach
WASC Threat Classification: Unknown
On January 3, a hacker broke into Indiana's government web site and made off with personal information for 71,000 health care aides who obtained certifications from the state, as well as 5,600 credit card numbers from people who had paid the state through the IN.gov web site.
While officials in Indiana tried to write it off as a harmless prank played by a teenager, the U.S. Department of Justice has also been investigating the case, and they believe the same hacker is responsible for attempts on other state government web sites.
References:
This work is licensed under the Creative Commons Attribution License. To view a copy of this license, visit http://creativecommons.org/licenses/by/2.5/ or send a letter to Creative Commons, 559 Nathan Abbott Way, Stanford, California 94305, USA.